[SCM] Debian package checker branch, master, updated. 2.3.1-26-g7928943
The following commit has been merged in the master branch:
commit cb8dbe5f5dfbd3650aae9e598f45f38a08fa2f51
Author: Raphael Geissert <atomo64@gmail.com>
Date: Wed Jan 20 14:14:01 2010 -0600
Fix CVE-2009-4015, arbitrary command execution
File names were not properly escaped when passing them as arguments to
certain commands, allowing the execution of other commands as pipes or
as a set of shell commands.
diff --git a/checks/files b/checks/files
index 70b2cb8..9e2a0aa 100644
--- a/checks/files
+++ b/checks/files
@@ -753,7 +753,7 @@ foreach my $file (sort keys %{$info->index}) {
# ---------------- embedded Feedparser library
if ($file =~ m,/feedparser\.py$, and $pkg ne "python-feedparser") {
- open(FEEDPARSER, "unpacked/$file") or fail("cannot open feedparser.py file: $!");
+ open(FEEDPARSER, '<', "unpacked/$file") or fail("cannot open feedparser.py file: $!");
while (<FEEDPARSER>) {
if (m,Universal feed parser,) {
tag "embedded-feedparser-library", "$file";
@@ -766,7 +766,7 @@ foreach my $file (sort keys %{$info->index}) {
# ---------------- embedded PEAR modules
foreach my $pearmodule (@pearmodules) {
if ($file =~ m,/$pearmodule->[0], and $pkg ne $pearmodule->[1]) {
- open (PEAR, "unpacked/$file") or fail("cannot open PHP file: $!");
+ open (PEAR, '<', "unpacked/$file") or fail("cannot open PHP file: $!");
while (<PEAR>) {
if (m,/pear[/.],i) {
tag "embedded-pear-module", "$file";
diff --git a/checks/patch-systems b/checks/patch-systems
index da7a7f5..9934d46 100644
--- a/checks/patch-systems
+++ b/checks/patch-systems
@@ -215,7 +215,7 @@ sub check_patch($) {
# in the debian/* directory, but as of 2010-01-01, all cases where the
# first level of the patch path is "debian/" in the archive are false
# positives.
- open(DIFFSTAT, "-|", "diffstat -p1 -l debfiles/patches/$patch_file")
+ open(DIFFSTAT, "-|", 'diffstat', '-p1', '-l', "debfiles/patches/$patch_file")
or fail("can't fork diffstat");
while (<DIFFSTAT>) {
chomp;
diff --git a/checks/po-debconf b/checks/po-debconf
index 63fa55e..dbe0469 100644
--- a/checks/po-debconf
+++ b/checks/po-debconf
@@ -162,10 +162,10 @@ while (defined(my $file=readdir(DEBIAN))) {
}
tag "unknown-encoding-in-po-file", "debian/po/$file"
unless length($charset);
- system_env("msgfmt -o /dev/null debfiles/po/$file 2>/dev/null") == 0
+ system_env("msgfmt -o /dev/null \Qdebfiles/po/$file\E 2>/dev/null") == 0
or tag "invalid-po-file", "debian/po/$file";
- my $stats = `LANG=C msgfmt -o /dev/null --statistics debfiles/po/$file 2>&1`;
+ my $stats = `LANG=C msgfmt -o /dev/null --statistics \Qdebfiles/po/$file\E 2>&1`;
if (!$full_translation && $stats =~ m/^\w+ \w+ \w+\.$/) {
$full_translation = 1;
}
diff --git a/collection/objdump-info b/collection/objdump-info
index 803ca6f..2ad5feb 100755
--- a/collection/objdump-info
+++ b/collection/objdump-info
@@ -54,20 +54,20 @@ while (<FILES>) {
print OUT "-- $bin\n";
- system("head $bin | grep -q 'packed.*with.*UPX'");
+ system("head \Q$bin\E | grep -q 'packed.*with.*UPX'");
print OUT "objdump: $bin: Packed with UPX" if $? == 0;
- if (open(PIPE, '-|', "readelf -l $bin 2>&1")) {
+ if (open(PIPE, '-|', "readelf -l \Q$bin\E 2>&1")) {
local $/;
local $_ = <PIPE>;
print OUT $_;
close PIPE;
}
- system("objdump -T $bin >/dev/null 2>&1");
+ system("objdump -T \Q$bin\E >/dev/null 2>&1");
if ($? == 0) {
# Seems happy so slurp the full output
- if (open(PIPE, '-|', "objdump --headers --private-headers -T $bin 2>&1")) {
+ if (open(PIPE, '-|', "objdump --headers --private-headers -T \Q$bin\E 2>&1")) {
local $/;
local $_ = <PIPE>;
print OUT $_;
@@ -77,7 +77,7 @@ while (<FILES>) {
$failed = 1;
my $invalidop = 0;
my $objdumpout = '';
- if (open(PIPE, '-|', "objdump --headers --private-headers -T $bin 2>&1")) {
+ if (open(PIPE, '-|', "objdump --headers --private-headers -T \Q$bin\E 2>&1")) {
while(<PIPE>) {
$objdumpout .= $_;
if (m/Invalid operation$/) {
@@ -106,7 +106,7 @@ while (<FILES>) {
# objdump output and let the scripts handle it
print OUT $objdumpout;
- } elsif (system("readelf -l $bin 2>&1 | grep -q 'Error: Not an ELF file'") == 0) {
+ } elsif (system("readelf -l \Q$bin\E 2>&1 | grep -q 'Error: Not an ELF file'") == 0) {
print OUT "objdump: $bin: File format not recognized\n";
} else {
# We're using etch's binutils so attempt to build an output
@@ -116,7 +116,7 @@ while (<FILES>) {
my @sections;
my @symbol_versions;
- if (open(PIPE, '-|', "readelf -W -l -t -d -V $bin")) {
+ if (open(PIPE, '-|', 'readelf', '-W', '-l', '-t', '-d', '-V', $bin)) {
my $section = '';
my %program_headers;
@@ -179,7 +179,7 @@ while (<FILES>) {
close PIPE;
}
- if (open(PIPE, '-|', "readelf -W -s -D $bin")) {
+ if (open(PIPE, '-|', 'readelf', '-W', '-s', '-D', $bin)) {
print OUT "DYNAMIC SYMBOL TABLE:\n";
while(<PIPE>) {
diff --git a/lib/Util.pm b/lib/Util.pm
index 7a82d64..136a04d 100644
--- a/lib/Util.pm
+++ b/lib/Util.pm
@@ -217,7 +217,7 @@ sub file_is_encoded_in_non_utf8 {
my ($file, $type, $pkg) = @_;
my $non_utf8 = 0;
- open (ICONV, '-|', "env LANG=C iconv -f utf8 -t utf8 $file 2>&1")
+ open (ICONV, '-|', "env LANG=C iconv -f utf8 -t utf8 \Q$file\E 2>&1")
or fail("failure while checking encoding of $file for $type package $pkg");
my $line = 1;
while (<ICONV>) {
diff --git a/private/refresh-manual-refs b/private/refresh-manual-refs
index 47eb132..e61f455 100755
--- a/private/refresh-manual-refs
+++ b/private/refresh-manual-refs
@@ -134,7 +134,7 @@ sub extract_refs {
my ($fh, $manual, $title, $page, $url, $ref_re, $fields) = @_;
my @linked_pages = ();
- open(PAGE, "$page") or die "Couldn't open $page: $!";
+ open(PAGE, '<', $page) or die "Couldn't open $page: $!";
# Read until there are 2 newlines. This hack is needed since some lines in
# the Developer's Reference are cut in the middle of <a>...</a>.
diff --git a/t/tests/binaries-embedded-zlib/debian/Makefile b/t/tests/binaries-unsafe-open/debian/Makefile
similarity index 65%
copy from t/tests/binaries-embedded-zlib/debian/Makefile
copy to t/tests/binaries-unsafe-open/debian/Makefile
index 8fb317e..f06dce3 100644
--- a/t/tests/binaries-embedded-zlib/debian/Makefile
+++ b/t/tests/binaries-unsafe-open/debian/Makefile
@@ -3,7 +3,7 @@ all:
install:
install -d $(DESTDIR)/usr/bin
- install -m 755 -c dummy $(DESTDIR)/usr/bin/dummy
+ install -m 755 -c dummy $(DESTDIR)/usr/bin/'dummy||uname'
clean distclean:
rm -f dummy
diff --git a/t/tests/binaries-general/debian/basic.c b/t/tests/binaries-unsafe-open/debian/dummy.c
similarity index 56%
copy from t/tests/binaries-general/debian/basic.c
copy to t/tests/binaries-unsafe-open/debian/dummy.c
index 00f3787..54dcf61 100644
--- a/t/tests/binaries-general/debian/basic.c
+++ b/t/tests/binaries-unsafe-open/debian/dummy.c
@@ -3,5 +3,5 @@
int
main(void)
{
- printf("Hello world!\n");
+ printf("hello world\n");
}
diff --git a/t/tests/binaries-unsafe-open/desc b/t/tests/binaries-unsafe-open/desc
new file mode 100644
index 0000000..c0a1831
--- /dev/null
+++ b/t/tests/binaries-unsafe-open/desc
@@ -0,0 +1,5 @@
+Testname: binaries-unsafe-open
+Sequence: 6000
+Architecture: any
+Version: 1.0
+Description: Test for possible command execution when processing filenames
diff --git a/t/tests/binaries-unsafe-open/tags b/t/tests/binaries-unsafe-open/tags
new file mode 100644
index 0000000..55be33c
--- /dev/null
+++ b/t/tests/binaries-unsafe-open/tags
@@ -0,0 +1 @@
+W: binaries-unsafe-open: binary-without-manpage usr/bin/dummy||uname
--
Debian package checker
Reply to: